I. Sarbanes-Oxley and the Emergence of the Compliance Function
The story of corporate compliance neither begins nor ends with Sarbanes-Oxley. Efforts to stamp out corruption, fraud, and other corporate criminal behavior have long underpinned the federal government’s efforts to prompt corporations to investigate and monitor their employees and customers. Sarbanes-Oxley was just one of numerous tools the government deployed to reassure the nation’s stockholders that their investments would be uncorrupted by widespread fraud.
Many corporate crime-fighting statutes and policies pre-date Sarbanes-Oxley. The Foreign Corrupt Practices Act, which forbade corporations from bribing foreign officials, was enacted in the late 1970s and directed corporations to develop a system of internal controls that kept track of payments. During this post-Watergate time period, regulatory agencies such as the Department of Defense also developed compliance-type rules for contractors competing for lucrative defense contracts. The Bank Secrecy Act and federal anti-money laundering laws forced banks to “know” their customers and (more importantly) monitor and report their suspicious bank accounts to the Treasury Department.
More broadly, in 1991, the Organizational Sentencing Guidelines, the product of the Sentencing Commission’s multi-year effort to create guidelines for federal judges tasked with sentencing corporate offenders, created a multi-factor rubric that graded corporate offenders more gently if they had in place an “effective” compliance program. The Department of Justice, meanwhile, began experimenting in the early 1990s with so-called “deferred prosecution agreements,” extrajudicial agreements that relieved the corporation of a criminal conviction in exchange for a package of commitments, including the promise to implement or upgrade one’s compliance program. The DOJ eventually memorialized the broad factors that Main Justice expected its prosecutors to consider in deciding and implementing corporate charging decisions.
The 1999 Holder Memo, named for Eric Holder, the (Democratic) Deputy Attorney General at the time, eventually became the blueprint for the Department’s approach to corporate crime and its remediation. After several iterations, it would eventually be added to the department’s Justice Manual, and would also be supplemented by a compliance manual advising of the specific characteristics that prosecutors should consider when judging a compliance program’s soundness.
Taking note of these practical developments, the Delaware Chancery court advised in an opinion written by Chancellor Allen that the corporation’s board members harbored an oversight duty to ensure that the company’s internal monitoring systems were intact. The so-called Caremark duty was eventually construed as a component of the duty of loyalty, but it applied only to a “sustained and systemic failure of the board to exercise oversight.” It remained difficult to prove a violation of such duty until a few years ago, when the Delaware courts expanded (or clarified) the Caremark duty to include more than ensuring the corporate compliance program’s bare existence, particularly where “mission critical” safety or regulatory issues were afoot.
Within this long arc, Sarbanes-Oxley occupies an interesting place. Practically speaking, its compliance-related regulations imposed modest pressure on the large, highly regulated institutions whose officers had already created departments in response to regulatory requirements and federal enforcement initiatives.
More importantly, as a rhetorical device, Sarbanes-Oxley reinforced the notion that “compliance” was an essential tool in the nation’s anti-crime toolbox, a box that was almost exclusively maintained by federal authorities. On the heels of Enron’s dissolution and Worldcom’s bankruptcy filing, Sarbanes-Oxley, along with the highly reported federal prosecutions of Enron and Worldcom executives, focused the nation’s attention on federal law enforcement agencies, particularly the DOJ and its storied United States Attorneys’ Offices, as institutions that could be relied upon to rein in corporate misconduct. Accordingly, the lawyers who advised post-Enron companies on their internal controls did so with an eye toward quelling federal investigations and avoiding federal criminal charges.
None of this is surprising when one considers several of SOX’s key compliance-related and criminal law initiatives, which included:
Changes to the Federal Criminal Code
- An increase in the maximum statutory sentences for federal prosecutions under the mail and wire fraud statutes, from five to twenty years’ imprisonment.
- The enactment of a new securities fraud statute, 18 U.S.C. § 1848, whose statutory maximum sentence was also twenty years’ imprisonment.
- The enactment of new and revised obstruction-of-justice provisions, which more broadly prohibited and punished the destruction of documents likely to be requested in investigations and judicial proceedings.
Instructions to the United States Sentencing Commission
- An instruction to the Sentencing Commission to increase the (then mandatory) Sentencing Guidelines’ recommended sentencing ranges of imprisonment for crimes relating to fraud and theft.
- An instruction to the Sentencing Commission to review its Organizational Guidelines to ensure they were sufficient “to deter and punish organizational criminal misconduct.” This language prompted the Commission to promulgate policy language defining an “effective” compliance program.
- Section 805 of the Act introduced anti-retaliation protections for corporate whistleblowers, including the ability to bring an administrative action through OSHA seeking back pay. Although these measures were ultimately eclipsed by stronger protections and eventually bounty programs, the Act was notable for these initial efforts at providing whistleblowing protection.
Statutory Changes Directed at Corporate Governance
- Section 302, which demanded the truthful certification by the CEO and CFO as to the veracity and completeness of the publicly traded company’s annual and quarterly financial disclosures.
- Section 404, which required that the company’s managers describe and attest to its “internal controls over financial reporting,” and secure an opinion from an independent auditor regarding those controls.
SOX featured many other provisions, but the foregoing are the components that heightened federal criminal law’s salience to corporate boards and to the compliance officers they would soon hire and promote.
SOX also facilitated the growth and maturation of the compliance industry and the development of compliance as an internal governance function. The purpose of developing a compliance program—an “effective” one as defined by the Sentencing Commission—was to discourage, detect, and promptly report to government enforcers internally detected instances of employee wrongdoing. Articles from this time period portray the corporate compliance department as a bridge between the company and the prosecutor’s office, the go-between that would benefit the company while also reducing the government’s enforcement load.
There were, of course, cracks in the foundation of this internal/external enforcement partnership. For one thing, the law itself never fully supported the concept. As I have argued elsewhere:
Lawyers owe fiduciary duties, duties of zealous representation, and duties of confidentiality to their clients—and certainly not to government prosecutors… . Prosecutors, in turn, owe duties to the general public—and not to corporate shareholders… . The DOJ’s Corporate Enforcement Policy may appear to have created a lay “partnership” between external enforcers and internal corporate investigators, but this model is inherently unstable.
Evidence of these conceptual weaknesses occasionally surfaced, such as when the government pressured the company to interfere in its employees’ attorney-client relationship (as with the government’s pursuit of KPMG for its tax shelter business), or when the government appeared to commandeer the company’s investigation, thereby triggering the Fifth Amendment’s privilege against self-incrimination (as in Deutsche Bank’s recent LIBOR debacle).
Notwithstanding these setbacks, the corporation’s internal policing apparatus has continued to serve as an essential crime-fighting tool. As one scholar recently observed, “[c]ompanies pour hundreds of billions of dollars into internal compliance programs meant to prevent and detect wrongdoing by their employees.” Sarbanes-Oxley did not create this apparatus from whole cloth, but it vastly reinforced it and promoted its salience. Legislation such as Sarbanes-Oxley made companies more likely to bulk up their compliance departments, and despite efforts to roll back some of Sarbanes-Oxley’s oversight, few practitioners or policymakers have argued with the idea that companies have a continuing obligation to monitor and police themselves.
II. Compliance as a Structural Puzzle
As compliance has evolved into a stable, essential function of corporate governance, scholars have approached it as a structural puzzle to be tweaked and updated as new information emerges. Fields such as behavioral psychology, systems design, and organizational theory have combined to inform this approach.
Most agree that the compliance function’s essential mission is to induce the organization to prevent, deter, investigate, and remediate wrongdoing. This multi-pronged goal promotes a series of debates of the “who,” “what,” and “how” varieties. The “who” questions ask who should implement and oversee the compliance department. Should the compliance officer be an attorney or an independent “professional”? Do we want her to report to the general counsel or directly to the board? Finally, who will we rely on to measure compliance’s activities and validate its successes or failures?
The “what” questions relate to compliance’s objectives. Does it exist solely to deter and remediate violations of law? If so, which violations of law? (Surely, no one wants a compliance function to focus on every ordinance or regulation ever written.) Does the compliance function play a role in flagging and remediating risk? What role should it play in inculcating prosocial norms and values, and should values and norms be its aim or risk and deterrence?
The “how” questions are the most concrete. How does the compliance function obtain information from the company’s employees, and how does it overcome trust issues in doing so? How does it bridge pernicious silo issues, in which the various components of the company are either unwilling or unable to effectively communicate with each other? And finally, how does the compliance function serve the firm’s interests, while also serving the interests of the government enforcement agencies, who have at times viewed the company’s compliance officers as junior enforcement officers?
Mirroring this inquiry, the legal academy’s description of corporate wrongdoing is also often described in curiously apolitical terms. Criminology’s venerated fraud triangle describes a trio of pressure, opportunity, and “neutralizations” that lead individuals to commit offenses such as fraud or bribery. A wide range of behavioral and organizational literature (much of it catalyzed by Donald Langevoort’s work) explains how tournaments, overoptimism, and herd behavior promote excessive risk-taking and goal-setting, often setting the corporation up for a big fall and revelations of wrongdoing. Business ethicists explain how blind spots and “fading” dynamics are strong enough to affect nearly everyone, depending on the situation. None of us is a monster, but all of us are vulnerable to pressures and opportunities that cause us to fall on the wrong side of legal and ethical lines.
There is something soothing to be found in these narratives, even as they illuminate compliance’s shortcomings in curbing greed and opportunism. Indeed, Sarbanes-Oxley itself betrays this optimism. Remove temptations (like corporate loans to executive officers), induce internal monitoring (by forcing corporate officers to report on and certify internal controls), ramp up whistleblowing and attorney gatekeeping (through anti-retaliation protections and up-the-ladder reporting rules), and finally claw back executive compensation (for executives whose companies issue eventual restatements), and somehow the enforcement pieces will all fall into place. Or, in more technical terms: If a corporation implements these structural innovations, its “policing agency costs” will decrease, at least just enough to make an enforcement agency’s job marginally more manageable.
Roberta Romano famously derided many of Sarbanes-Oxley’s underlying assumptions as “quack corporate governance.” A bevy of scholars responded just as lustily that she was wrong. Where compliance is concerned, one need not resolve this debate. The atmosphere that created Sarbanes-Oxley no longer exists. Two decades after a bipartisan Congress rushed legislation into existence, our national electorate is far more fractured, and their elected representatives are far less able to reach agreement on anything. Further, the corporate workplace that Sarbanes’ defenders and critics visualized is also an anachronism, as it envisioned a workplace and boardroom where individuals met and interacted in person. Accordingly, regardless of how one views the laws and regulatory provisions that enabled the compliance function to solidify in 2002, one would be hard pressed to imagine them playing out the same way 2022, in Congress much less in any virtual boardroom or hybrid workplace.
III. The Politicized View of Compliance
The remainder of this article asks what compliance looks like once we focus our attention on the political dynamics of any given company. I do not mean this approach to be a shorthand for debates over public policy. Corporations have influenced public debates for centuries. The question of how deeply corporations are or should be enmeshed in local or national political processes, or in social issues of concern, is hardly a new one. Corporate political advocacy is an important development, but not the singular focus of this Part.
Nor do I mean to invoke questions concerning the corporation’s direct influence over elections. This, too, is nothing new, even if the Supreme Court’s Citizens United case remains controversial. Finally, at least at this juncture, I do not intend to address recent efforts by numerous corporations to openly embrace diversity, equity, and inclusion (DEI) or corporate social responsibility (CSR), to diversify their boardrooms, or to consciously adopt an environmental, social, and governance (ESG) framework. These developments are unquestionably important, but they ultimately are byproducts of the degree to which our political atmosphere has changed within the past two decades.
To contextualize and understand this change, this Part begins by surfacing the phenomenon known as affective polarization, a psychological outgrowth of political partisanship. Section A introduces this concept and queries how polarization subconsciously influences compliance. Section B turns attention to the rising politicization—perceived or actual—of enforcement institutions such as the Department of Justice. Sections C and D theorize how politicization impacts life abstractly and concretely within corporate settings.
According to the latest surveys and reports, our society is more politically and socially fractured than it was even two decades ago. Citizens are polarized along multiple dimensions, including age, gender, ethnicity, class, and educational attainment. Ideological polarization, which has itself increased over the past half-century, has given way to what political scientists call “affective polarization,” the phenomenon by which partisans move beyond disagreement on specific policies and instead associate political affiliation with social identity. Affective polarization predicts that members of a particular political party will view “in group” members highly favorably and “out group” members with hostility, even when objective evidence suggests one should do otherwise. Researchers in this area disagree on the causes of affective polarization, but they agree strongly that it exists and has transformed “mild dislike” of one’s political opponents into hostility and animus. There is broad agreement as well that affective polarization has surged in the past two decades, that it extends beyond political campaigns or specific issues, and that it has the power to transform social and casual encounters.
Thus, we live in a world in which Democrats and Republicans intensely dislike each other. They increasingly choose not to live amongst or marry each other. They do not buy the same things, belong to the same civic institutions, or attend the same houses of worship. Most importantly for compliance purposes, they also prefer not to do business with or work with each other.
This preference permeates the highest echelons of corporate management. Recent scholarship by Fos, Kempf, and Toutsoura demonstrates that corporate executive teams have become “increasingly partisan” even as they have added more women to their ranks. Corporate team members are more inclined to lean toward the Republican party. Regardless of their political affiliation, they have become more partisan, and their partisanship produces “assertive matching,” whereby leaders and teams instinctively attempt to match with like-minded colleagues. As a corporate team grows more polarized, misaligned executives become more likely to depart their firms. Their departures, in turn, are followed by subsequent reductions in shareholder wealth, a phenomenon the authors themselves are unable to explain. Such partisanship is not limited to publicly held corporations. Numerous researchers have cited political partisanship in start-up firms, national law firms, across boards, and among rank-and-file employees.
Why might this be a problem for corporate compliance? Compliance has always depended on healthy degrees of interpersonal trust, deliberation, and analysis. The corporation motivates its employees to abide by the law and then takes steps to monitor wrongdoing and redress situations that encourage or permit lawbreaking. Compliance’s success relies on the willingness of mid- and low-level employees to voice their concerns and communicate their knowledge to internal compliance officers and other high-level officials within the firm. For firms to detect and report wrongdoing, as well as to detect and redress vulnerabilities to wrongdoing, employees and supervisors must respect and trust each other and their organization’s processes.
Extreme polarization reduces trust and quashes group deliberation. When groups are polarized, “outsider” opinions are at risk of being disregarded, suppressed, or self-censored. Even worse, when a polarized group obtains new information, its members fail to rationally update their assumptions and shift policies. Instead, they are likely to engage in biased assimilation. That is, they may cherry pick and distort the information they have received so that they may affirm their prior beliefs. Instead of moving away from objectively incorrect assumptions, they will double down on those beliefs, making decisions that either cause or threaten societal harm.
These developments should concern any scholar invested in compliance’s success. The issue isn’t simply one of structure, of making sure information moves efficiently from point a to point b. Nor is it one of ensuring that a firm measures and validates its rosy assertions of good citizenship and adherence to law. The problem goes deeper than that. Consider the extent to how more politically fractured our society is today than it was two decades ago. Sarbanes-Oxley was itself a piece of bipartisan legislation, enacted in the wake of Enron’s fall, concurrent with a series of criminal prosecutions and a well-regarded task force. It is more than a thought experiment to ask whether so sweeping a bill would receive the level of initial support it received back then.
When corporate teams and rank-and-file employees are politically polarized, policies and facts that raise compliance concerns are apt to be distorted and misunderstood. Polarization becomes the ultimate information silo, keeping one person from trusting—and therefore openly talking—to another. Compared to poorly designed systems, affective polarization’s psychological silo creates a far more daunting challenge for reformers. It’s difficult enough to ensure that one department shares information freely with another. It is far more difficult to scale the psychological supports an employee erects to protect herself, particularly when political partisanship causes her to invest in the belief that “out” groups are invested in undermining her well-being.
Now, one might argue that political partisanship has always been a challenge for compliance officers. But social science indicates that polarization and partisanship are weightier issues today than they were two decades ago. Moreover, our political fights are indelibly intertwined with disputes over corporate power and governance. Corporate social responsibility (CSR) and environmental, social, and governance (ESG) concerns have surged to the forefront of debates about corporate governance and securities disclosures. For an employee, her employer’s political advocacy and social governance efforts (sometimes referred to as “brand activism”) makes those political cleavages feel more salient and more fraught, up and down the corporate ladder. Whether these political activities are benign, positive contributions to social welfare, or in fact cynical exercises in performative posturing, they all cue identarian impulses by reminding corporate employees where each political party stands on a given issue. Heated political elections and social media further ensure that political disputes impact the workplace, even if subconsciously. For a society whose members frequently equate “work” with personal identity, workplace polarization is therefore far less of an “if ” than a “when.”
Notwithstanding the foregoing, we should consider the following caveat. Polarization may indeed be a weightier issue than it was two decades ago, but how and where it manifests itself is far from settled. It might affect some industries more than others. It might impact certain types of questions to a greater degree than others. And it may become more salient following a particular regime change, a hard fought election, or a highly disruptive court case. Thus, for the compliance officer, polarization is a chronic background problem that exists but is still difficult to pinpoint or measure with any degree of precision. It is a variable that could easily skew and undermine compliance, but it is just amorphous enough to elude effective redress and neutralization.
For years, the DOJ, a de facto regulator of corporate compliance, has been able to successfully avoid claims of partisanship and politicization. Particularly where corporate crime and compliance are concerned, most of the DOJ’s harshest detractors have shied away from openly partisan attacks. Critics might complain that the Department is too sluggish in pursuing corporate officers, or that it has overreached in its treatment of a given corporate defendant, but for the most part, the Department’s failures have been attributed to faulty prosecutorial assumptions or weak structures, and not pure partisan alignment. If affective polarization continues to grow, this universalist perspective on federal enforcement may well be overtaken by a more polarized view of DOJ successes and failures.
Those familiar with the Department of Justice’s contemporary treatment of corporate wrongdoing often trace the DOJ’s corporate crime policies back to Eric Holder’s 1999 memo advising of the standard factors prosecutors should weigh. Holder was the Deputy Attorney General during the Clinton Administration’s waning years. When George Bush was elected president, Larry Thompson became the Deputy Attorney General, and the Holder Memo was superseded by the Thompson Memo.
There were, of course, differences between the Holder and Thompson memos, but there was far more that united them than divided them. Both memos began from the premise that corporations were subject to respondeat superior’s sweeping theory of vicarious criminal liability. Both used the same general framework to weigh criminal charges versus a deferred or non-prosecution agreement. And both emphasized the value in inducing corporations to self-police and voluntarily cooperate with federal prosecutors in bringing individual officers and employees to account. They might have utilized different tools or language, but these were the kinds of differences that made for good debates among academics and practitioners. Thus, corporate crime policy was more or less apolitical, or at least nonpartisan.
Jennifer Nou observes that the term “politicized” is usually an epithet accusing an agency’s “political appointees [of acting] in a nontechnical manner to achieve some partisan outcome.” An agency becomes overly “politicized” when its enforcement decisions lack objective explanation or appear designed to reward a leader’s friends and punish his enemies.
Not every controversial policy decision is the product or evidence of politicization. For example, the Department of Justice might decide to shift more of its resources toward the investigation and prosecution of white-collar crime and away from immigration and drug enforcement (or vice versa). These are of course important policy decisions, but they resonate differently from a decision to punish Company A because its board is too “liberal” or reward Company B because its owners are “conservative.”
To repel claims of politicization and partisanship, the Department of Justice’s leaders and supporters have insisted on maintaining a strong independence norm, putting in place formal and informal constraints to limit the extent to which a President can deploy the government’s punitive might or pull punches when the circumstances might warrant. In their historical account of the DOJ, Bruce Green and Rebecca Roiphe elaborate:
Just as expertise formed the cornerstone of the administrative state, so too professional independence became the defining characteristic of the DOJ… . It grew to denote a distance from both the changing tide of popular opinion and the ambitions of partisan politics. In the wake of the Watergate scandal, the debate over how to foster and ensure independence culminated in the explicit articulation of the separation of the DOJ from presidential control.
Thus, independence and professionalism are two strong values that not only define the DOJ and its enforcement personnel, but which have also served as important elements in providing the Department requisite distance from partisan political disputes. A “distanced” DOJ is one that is more likely to enjoy public support and respect and to avoid the animus associated with affective polarization.
Here too, the story takes a turn. Over the past two decades, the DOJ’s studious independence, intended to protect it from claims of political partisanship, has faded. Early signs occurred during the Bush administration, when congressional hearings revealed efforts to dismiss United States Attorneys who were thought to be insufficiently loyal to the Bush administration’s political agenda. In later years, the DOJ was excoriated for its failure to successfully prosecute corporate executives responsible for the 2008 Financial Crisis. But these ills—distracting as they may be from the DOJ’s core mission—are conceptually distinct from the issues that arose during and toward the end of the Trump administration’s tenure. During and after the Trump presidency, the DOJ became “politicized,” both in reality and perception. Numerous accounts indicate that the Trump administration’s law enforcement decisions were made with an eye toward pleasing the former president, punishing his enemies, or somehow evening the “score” between Democrats and Republicans.
Post-Trump, the DOJ has continued to attract politicization complaints—merited or not. Despite the current Attorney General’s sterling reputation, numerous news organizations question whether his decisions are or could be viewed as “partisan.” The Department’s decisions to investigate efforts to overturn the 2020 election; to pursue individuals who participated in the January 6, 2020, insurrection; and to investigate and pursue the former president’s failure to return materials to the National Archives have all been castigated at one point or another as politically motivated.
How does the evolving perception of federal enforcement affect internal corporate compliance? Recall, compliance regulation has become nationalized and entwined in federal criminal law. The accounting fraud prosecutions that followed Enron and Worldcom’s implosions focused the nation’s attention on federal criminal law and its enforcement. The DOJ has long taken advantage of this focus by publicly advising of the corporate behaviors that would draw criticism and praise from federal prosecutors, and by fashioning non-binding policies that provide further guidance on when corporations can expect to receive leniency in exchange for information. Now, however, if federal prosecutors become more politicized, corporate compliance officers will rightfully interpret prosecutorial decision-making through a more partisan and polarized lens. Notice, then, the double whammy: polarization and partisanship threaten the compliance function’s ability to collect information from managers and employees, and at the same time, they also dampen the firm’s willingness to voluntarily disclose information to regulators and prosecutors. Information thus encounters two difficult-to-remove bottlenecks.
In sum, given the centrality of the corporate compliance function’s relationship with government enforcers, it is difficult to overstate politicization’s negative impact on corporate compliance. In the next two sections, I flesh out what that impact might look like in both abstract and concrete terms.
C. Silos and Distrust
Much of compliance’s challenge boils down to three issues: First, because corporate life is highly specialized, information is necessarily compartmentalized. A similar degree of compartmentalization exists throughout the enforcement ecosystem, as vertical and horizontal specializations in enforcement create barriers to the flow of information. As Veronica Root-Martinez has deftly explained, compliance-related information inside and outside the firm eventually becomes siloed. Second, because corporate officers, rank-and-file employees, and government agents all have different agendas and interests, a pervasive trust vacuum further prevents information from making its way through the corporation (up to and including the board) and out to the stakeholders and enforcement agencies who could best use that information. Finally, in addition to silos and trust vacuums, compliance is further hampered by self-interest. When managers and mid-level supervisors can benefit from turning a blind eye and remaining silent (or simply convincing themselves that nothing untoward has happened), that is how they are likely to behave.
One can argue that much of what we call “compliance regulation” is aimed at overcoming the triad of silos, trust issues, and opportunistic self-interest. That’s all well and good if all one cares about is structure and the gaps that form when systems are neglected or poorly designed. Once we acknowledge polarization and politicization, however, the challenge of redressing this triad becomes more difficult. An information silo caused by poor system-design functions quite differently from the psychological silo erected out of deep-seated animus—and fear—of one’s political adversaries. To be clear, this fear is not necessarily misplaced. Researchers have found that political “[p]artisanship motivates intergroup discrimination.” The worker fearful that a comment or challenge to authority will be viewed in a particularly negative way may well be right.
Trust issues within the company, as well as between the company and government enforcers, pose difficult hurdles. They are not insuperable, however, if one creates a credible architecture of incentives and behavioral supports. That is indeed the compliance function’s promise—that it will coordinate the relationship between employees and managers, and between managers and outside enforcers. It is also the primary reason structural innovations are assumed to be a “net good” even if they are initially costly. Notice, however, how easily compliance’s architecture loses its effectiveness if the corporation’s employees or officers become convinced that “politics” will supersede objective analysis and wipe out written policy. “Structure” cannot do too much if a company’s employees see themselves as living in a world of hostile enemies.
My point here is not to predict some sort of Armageddon or total breakdown of the firm. Rather, it is to say that as our society becomes more polarized, and our enforcement institutions more politicized, the information bottlenecks of two decades ago will become stickier and more difficult to unclog. Information will continue to be suppressed and eventually lost, thereby causing the compliance function to suffer. Corporate teams will be less adept in identifying risks and less likely to pivot when those risks become more noticeable. In sum, compliance departments that continue to rely on the same techniques and methods that were once heralded as effective should eventually produce worse outcomes. Firms will, yet again, spend lots of money, only to ask why the compliance department failed to prevent tomorrow’s scandal.
In the wake of scandals that result in large losses of money and systemic shocks, the compliance officer will find herself in a far more precarious position than she might have once expected. Compliance will, despite its many bells and whistles, find itself fighting for its future survival. To the architects and proponents of sweeping legislative reforms such as Sarbanes-Oxley, that may be cause for disappointment, if not outright surprise.
D. Practical Implications for Compliance and the Workplace
The preceding prediction—that polarization will continue and indelibly impact the corporate workplace and its broader enforcement network—is reflected in several workplace and enforcement-related trends, three of which I discuss here.
The first pertains to artificial intelligence (AI). AI is and has become a major feature of the private sector. Scholars such as Mihailis Diamantis have already written of the ways in which artificial intelligence impacts the incidence of corporate wrongdoing and compliance. To a compliance officer, machines are both a boon and a burden. On the one hand, machines cannot fall prey to momentary impulses or moral failings; nor might they trigger liability under federal law’s respondeat superior doctrine. But machines can of course do quite a bit of harm depending on how they are programmed or how they ultimately “teach” themselves. Moreover, because compliance has always depended on and included in its mission the inculcation of pro-social norms and values, the compliance function itself can never be fully automated. Compliance can use machines, but it should never be replaced by machines.
Notice how polarization and politicization alter this equation. In the abstract, there is some optimal mix of persons and machines that operate and govern the firm, hopefully all in compliance with the law. In a real world characterized by increasing levels of polarization and politicization, however, mechanization appears more desirable, at least initially. Machines do not belong to political parties. They don’t fight over political issues or see their colleagues through a partisan prism. Nor do they create the political and social misalignment problems that underpin polarization and indirectly undermine corporate efficiency. Machines, moreover, offer companies the ability to disclaim bias or polarized thinking when someone questions a company’s decision. Thus, we may end up with more AI and a greater reliance on machine-thinking than many would find optimal.
This is a problem on two levels. First, one can imagine multiple sectors and fields where an excessive reliance on AI produces worse outcomes. The field of compliance, for instance, relies on trust-building, information flows, and iterative relationships. To that end, one would expect interpersonal contact to be superior to machines in developing the kinds of norms and deep personal ties that compliance officers rely on to detect and prevent wrongdoing.
Moreover, an overreliance on machines may ironically strengthen affective polarization, advancing a pernicious feedback loop. Political psychologists posit that the best way to reduce affective polarization is to maintain structured settings in which different people can civilly interact with each other and decrease their hostility toward out-groups. The workplace that replaces its employees with machines reduces opportunities for these healthy interpersonal contact opportunities To put it another way, affective polarization skews our preferences in the direction of machines and an overreliance on machines reinforces affective polarization.
A similar dynamic is embedded in the debate over remote work. As Covid-19 recedes, supervisors are debating how much to lean into this trend, and the debate is itself polarized along different socioeconomic lines. Some workers never left the workplace, others have yet to return, and many others have constructed a hybrid work week.
How remote work impacts the incidence of corporate wrongdoing is difficult to predict and calculate. The vaunted “fraud triangle” tells us that deceptive crimes such as fraud are contingent on a triad of factors, namely opportunity, pressure, and self-rationalizations. From a pressure standpoint, the fact that employees can work remotely can either empower employees (since they can apply for and accept jobs in locations far from home), or strengthen the hands of employers, who are no longer restrained to hiring from a specific location. As for opportunity, for certain misconduct (including fraud and bribery), remote work could theoretically narrow pathways to violating the law, as employees can no longer easily speak to each other in person. (Savvy fraudsters should shy away from conspiring over email or recorded tele-meetings.) At the same time, remote work can weaken the very norms and social ties that restrain employees from violating rules. Like AI, remote work reduces interpersonal, face-to-face contact among employees, suppliers, customers, and regulators. Less contact, in turn, may set us up for more affective polarization. And finally, for certain industries, remote work could affirmatively increase the incidence of wrongdoing by causing a notable decrease in the likelihood of its prompt detection, as compliance officers and would-be whistleblowers lack the ability to witness and promptly act upon suspicions of wrongdoing.
Sung Hui Kim highlights this point in her discussion of in-house attorneys as valuable gatekeepers. Information makes its way to gatekeepers through “formal” channels (e.g., reporting and disclosure requirements) and through “informal” channels, including “accidental, everyday social interactions among employees of the company who share the same physical space.” Notice the assumption upon which Kim’s observation is built: that employees and inside attorneys (who could just as easily be replaced by compliance personnel) share physical space. If informal “information channels” benefit from fortuitous encounters, compliance personnel ought to resist work-from-home’s expansion, all else being equal. After all, if it is water-cooler gossip that enables the compliance department to glean important information, work-from-home eliminates that information channel, leaving the firm worse off.
Here again, the reminder that we are undergoing a major shift in how we feel about “out-groups” provides a potent explanation for remote work’s popularity. Even if remote work increases the risk of undetected wrongdoing—and inadvertently creates certain information silos —it may promote psychological benefits that make a polarized workplace more palatable. People who work remotely may be less likely to strike up conversations about politics. (They certainly are less likely to strike up any unplanned conversation, so political ones ought not to be any different.) Indeed, remote work may be the mechanism that enables an officer or employee to remain on the job, even when their politics are out of alignment with the larger group. This, perhaps, is one of the undiscussed silver linings of working from somewhere other than an office: it reduces the interpersonal costs that arise out of being a member of a misaligned team. Accordingly, we might hope that insofar as it paves the way for more heterogenous working groups, remote work might also facilitate a workplace with less herdlike behavior, less political self-sorting, and more deliberative and valuable decision-making.
Notice, then, the dilemma: the very mechanism that deflates polarization’s costs may also increase the risk of noncompliance. Without a supervisor or colleague nearby, it may be easier for an employee to commit fraud, bribery, or regulatory violations. But it may also be easier for that employee to make peace with people who adhere to different beliefs and ideologies.
Polarization and politicization shed additional light on a third trend, which pertains to compliance’s enforcement Although it is difficult to say this with certainty, it certainly feels as if we are witnessing a defederalization of corporate compliance enforcement.
Sarbanes-Oxley may one day be viewed as a high-water mark in the federal system’s regulation of corporate compliance. If we look back on this time period, we might conclude that the typical corporate compliance officer within a large or mid-size company was well versed in federal criminal and regulatory law. She hired attorneys at the top law firms to advise her on how best to deal with federal prosecutors and regulators, from the DOJ, to the SEC, to the local United States Attorneys’ Offices. She faithfully reviewed updates to the DOJ’s charging memos and Organizational Sentencing Guidelines; and she was careful to follow the internal governance obligations set forth in legislation such as Sarbanes-Oxley and regulations set forth by the SEC. No wonder, then, that the companies who could afford to do so hired former prosecutors and regulators to staff their compliance departments and represent the company in corporate criminal inquiries.
Today, our compliance officer would be well advised to look beyond federal law. Corporate wrongdoing can be pursued globally, locally, and by civil complaint. As a result, compliance is no longer solely the federal government’s domain. Indeed, from this perspective, it may be highly fortuitous that the Delaware court’s invigorated Caremark approach surfaced when it did, in 2019. When the federal government’s enforcement agencies lose political support and endure an erosion of legitimacy, we welcome other sources of enforcement to fill the gap.
To that end, Delaware’s re-emergence as a key regulator of corporate compliance is no accident. Indeed, it arguably represents a reversal of the “symbiotic federalism” concept that Marcel Kahan and Edward Rock heralded in 2005. Speaking of the relationship between federal and state corporate regulators, the professors wrote:
If Delaware is not able to regulate certain conduct effectively, it is probably in its interest to have this conduct regulated on the federal level (or by other states) to fill the lacunae in its own law. Without such federal regulation, continued and unsanctioned wrongdoing could result in a populist backlash against Delaware as the provider of an ineffective regulatory regime … . [B]y making the system as a whole less scandal-prone, federal regulation reduces the likelihood of a populist attack.
The authors, writing in 2005, were eerily prescient about how populist anger might engulf government institutions. The only point the authors failed to predict is that the federal government itself eventually became the target of such attacks.
There is nothing per se problematic about shifting from a federal approach to a more decentralized framework that emphasizes state and local enforcement personnel. If society finds state and institutions more democratically responsive to public demands, that shift may in fact be welcome. But here again, our experience with corporate debacles of the type that birthed Sarbanes-Oxley might give us pause. The very scope and complexity of corporate wrongdoing has long served as our reason for relying on a strong, federally coordinated enforcement response. If the federal government’s enforcement apparatus does in fact become so “politicized” that it loses its legitimacy and ability to influence corporate behavior, it is far from clear that either state or local institutions will develop the necessary bandwidth to pick up the federal government’s slack.
It is beyond debate that compliance has solidified into a standardized, well-regarded governance function within large and publicly held corporations. Nevertheless, for reasons outside the compliance industry’s control, corporate compliance remains fragile. If our society becomes more polarized and our enforcement institutions become more politicized and partisan, these developments inevitably will undermine the firm’s internal compliance apparatus and the broader web in which corporations and enforcement agencies operate. Compliance is, after all, a story of relationships as much as it is a story of architecture, systems, and metrics. We know from the burgeoning literature on political psychology that our political views clearly impact how we receive information and how we see the world and each other.
For all those reasons, those of us invested in compliance’s endurance should pay more attention to politics and its interaction with workplace psychology. For academics, this prescription arises at a fortuitous moment. Scholars have already begun to track the relationship between political partisanship and workplace behavior, and between political affiliation and corporate teams. Compliance scholars would do well to mine these literatures for their implications. Two decades ago, a legal academy that had just commenced its extended study of behavioral economics and social norms fruitfully exploited the behavioral and organizational psychology fields to better understand the dynamics of corporate wrongdoing. Today, the academy should turn its attention to a different set of dynamics. To do otherwise is to set ourselves up for another round of corporate wrongdoing and failures.